The most pressing issue addressed by the update, which brings Drupal 8 to version 8.3.4 and Drupal 7 to Drupal 7.56, could have led to code execution, the content management software’s security team warned. The YAML parser in Drupal 8, PECL, failed to handle PHP objects safely during operations with Drupal Core, according to the advisory. That could have opened it up to remote code execution.

A separate, less critical issue, also existed in Drupal 8. Until it was fixed, the file REST resource failed to properly validate fields when manipulating files. Only select sites were vulnerable, Drupal says. A site would had to have had RESTful Web Services module enabled, the file REST resource enabled, and allowed PATCH requests. On top of that an attacker would have had to been able to register a user account on said site, with permissions to upload files and to modify the file resource.

The last bug affected both Drupal 7 and Drupal 8 and was being exploited by attackers for spam purposes in the wild, the advisory reads. The issue, only marked moderate criticality by developers, was an access bypass vulnerability at its crux.

“Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users,” the advisory reads, “Drupal core did not previously provide this protection.”

The vulnerability only affects sites that allow anonymous users to upload files into a private system.

It’s the first set of updates for Drupal since April, when the CMS fixed another access bypass vulnerability in its core engine. The service said at the time websites were vulnerable under certain conditions. Similar to the REST resource bug fixed this week, April’s bug only affected sites that had RESTful Web Services module enabled and sites that allowed attackers to get or register a user account.

As it’s a security update, Drupal is strongly recommending users on 7.x running versions prior to 7.56, and 8.x, prior to 8.3.4, to update to the latest versions.

All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to content@vulners.com Vulners, 2017

Protected by

{"id": "DRUPAL-PATCHES-THREE-VULNERABILITIES-IN-CORE-ENGINE-2/126466", "bulletinFamily": "info", "title": "Drupal Patches Three Vulnerabilities in Core", "description": "Developers with Drupal patched three vulnerabilities, one critical, one being exploited in the wild, in Drupal\u2019s core engine [on Wednesday](<https://www.drupal.org/SA-CORE-2017-003>).\n\n> Drupal 7.56 and 8.3.4 are security releases. Update your sites. <https://t.co/ik3TB2YJtt>\n> \n> \u2014 Drupal Security (@drupalsecurity) [June 21, 2017](<https://twitter.com/drupalsecurity/status/877596509482524673>)\n\nThe most pressing issue addressed by the update, which brings Drupal 8 to version 8.3.4 and Drupal 7 to Drupal 7.56, could have led to code execution, the content management software\u2019s security team warned. The YAML parser in Drupal 8, PECL, failed to handle PHP objects safely during operations with Drupal Core, according to the advisory. That could have opened it up to remote code execution.\n\nA separate, less critical issue, also existed in Drupal 8. Until it was fixed, the file REST resource failed to properly validate fields when manipulating files. Only select sites were vulnerable, Drupal says. A site would had to have had RESTful Web Services module enabled, the file REST resource enabled, and allowed PATCH requests. On top of that an attacker would have had to been able to register a user account on said site, with permissions to upload files and to modify the file resource.\n\nThe last bug affected both Drupal 7 and Drupal 8 and was being exploited by attackers for spam purposes in the wild, the advisory reads. The issue, only marked moderate criticality by developers, was an access bypass vulnerability at its crux.\n\n\u201cPrivate files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users,\u201d the advisory reads, \u201cDrupal core did not previously provide this protection.\u201d\n\nThe vulnerability only affects sites that allow anonymous users to upload files into a private system.\n\nIt\u2019s the first set of updates for Drupal [since April](<https://threatpost.com/drupal-closes-access-bypass-vulnerability-in-core-engine/125080/>), when the CMS fixed another access bypass vulnerability in its core engine. The service said at the time websites were vulnerable under certain conditions. Similar to the REST resource bug fixed this week, April\u2019s bug only affected sites that had RESTful Web Services module enabled and sites that allowed attackers to get or register a user account.\n\nAs it\u2019s a security update, Drupal is strongly recommending users on 7.x running versions prior to 7.56, and 8.x, prior to 8.3.4, to update to the latest versions.", "published": "2017-06-22T12:22:00", "modified": "2017-06-22T16:22:11", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/drupal-patches-three-vulnerabilities-in-core-engine-2/126466/", "reporter": "Chris Brook", "references": ["https://threatpost.com/drupal-closes-access-bypass-vulnerability-in-core-engine/125080/", "https://twitter.com/drupalsecurity/status/877596509482524673", "https://t.co/ik3TB2YJtt", "https://www.drupal.org/SA-CORE-2017-003"], "cvelist": [], "type": "threatpost", "lastseen": "2017-06-22T22:22:29", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "38e828a3dfd229334787bc0cd7242afd"}, {"key": "href", "hash": "dcb38c820d53b1763647ba47ec373bcc"}, {"key": "modified", "hash": "69a0c87cd1803495bbcbc71b2b8d88ff"}, {"key": "published", "hash": "5ca52666714a40740926f707a6b3412f"}, {"key": "references", "hash": "6d5e57ff2d6fbab12034c89b97643326"}, {"key": "reporter", "hash": "efd68987c586e9903d32b310cc9aa2aa"}, {"key": "threatPostCategory", "hash": "535e2de9168013bbfc31965016086243"}, {"key": "title", "hash": "7e43d98d417390c6f476b2f44e44fe38"}, {"key": "type", "hash": "78295e0f58b887188b62cad09f8e24d4"}], "hash": "cb6a3fa9f076790e26fffb3e8e245f88fab0e9091b70bb070b503989c6a70fe9", "viewCount": 14, "enchantments": {"vulnersScore": 6.8}, "objectVersion": "1.3", "threatPostCategory": "Vulnerabilities"}